Mercurial > hg > nginx-tests
annotate ssl_session_reuse.t @ 1851:0351dee227a8
Tests: unbreak tests with dynamic certificates on stable.
In 74cffa9d4c43, ticket based session reuse is enabled in addition to
using a shared SSL session cache. This changed how a session can be
resumed in a different server:
- for a session ID based resumption, it is resumed in the same context
- when using session tickets, a key name is also checked for matching
- with a ticket callback, this is skipped in favor of callback's logic
This makes 'session id context match' tests fail with session tickets
on stable since ticket key names are unique in distinct SSL contexts.
On the other hand, tests pass on 1.23.2+ due to automatic ticket keys
rotation that installs ticket callback, and using a common shared SSL
session cache.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 28 Mar 2023 01:36:32 +0400 |
parents | 8dec885fa3da |
children | cdcd75657e52 |
rev | line source |
---|---|
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
3 # (C) Andrey Zelenkov |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
4 # (C) Maxim Dounin |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 # (C) Nginx, Inc. |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
7 # Tests for http ssl module, session reuse. |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 ############################################################################### |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use warnings; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 use strict; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 use Test::More; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
15 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
16 BEGIN { use FindBin; chdir($FindBin::Bin); } |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 use lib 'lib'; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use Test::Nginx; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
20 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 ############################################################################### |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 select STDERR; $| = 1; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDOUT; $| = 1; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 |
430
a82b02635614
Tests: skip ssl tests with ancient IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
397
diff
changeset
|
26 eval { require IO::Socket::SSL; }; |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
27 plan(skip_all => 'IO::Socket::SSL not installed') if $@; |
430
a82b02635614
Tests: skip ssl tests with ancient IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
397
diff
changeset
|
28 eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; |
a82b02635614
Tests: skip ssl tests with ancient IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
397
diff
changeset
|
29 plan(skip_all => 'IO::Socket::SSL too old') if $@; |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
30 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
31 my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
32 ->has_daemon('openssl')->plan(8); |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 |
1068
d0ec761774a5
Tests: client certificate issuer/subject variables.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1067
diff
changeset
|
34 $t->write_file_expand('nginx.conf', <<'EOF'); |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 %%TEST_GLOBALS%% |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 daemon off; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 events { |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 } |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
42 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
43 http { |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 %%TEST_GLOBALS_HTTP%% |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
45 |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
46 ssl_certificate_key localhost.key; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
47 ssl_certificate localhost.crt; |
1675
0d1cec688111
Tests: logging ssl variables with lingering close.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1655
diff
changeset
|
48 |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
49 server { |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
50 listen 127.0.0.1:8443 ssl; |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 server_name localhost; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
52 |
1514
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
53 location / { |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
54 return 200 "body $ssl_session_reused"; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
55 } |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
56 location /protocol { |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
57 return 200 "body $ssl_protocol"; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
58 } |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
59 } |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
60 |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
61 server { |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
62 listen 127.0.0.1:8444 ssl; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
63 server_name localhost; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
64 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
65 ssl_session_cache shared:SSL:1m; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
66 ssl_session_tickets on; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
67 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
68 location / { |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
69 return 200 "body $ssl_session_reused"; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
70 } |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
71 } |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
72 |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
73 server { |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
74 listen 127.0.0.1:8445 ssl; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
75 server_name localhost; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
76 |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
77 ssl_session_cache shared:SSL:1m; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
78 ssl_session_tickets off; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
79 |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
80 location / { |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
81 return 200 "body $ssl_session_reused"; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
82 } |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
83 } |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
84 |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
85 server { |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
86 listen 127.0.0.1:8446 ssl; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
87 server_name localhost; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
88 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
89 ssl_session_cache builtin; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
90 ssl_session_tickets off; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
91 |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
92 location / { |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
93 return 200 "body $ssl_session_reused"; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
94 } |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
95 } |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
96 |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
97 server { |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
98 listen 127.0.0.1:8447 ssl; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
99 server_name localhost; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
100 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
101 ssl_session_cache builtin:1000; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
102 ssl_session_tickets off; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
103 |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
104 location / { |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
105 return 200 "body $ssl_session_reused"; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
106 } |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
107 } |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
108 |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
109 server { |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
110 listen 127.0.0.1:8448 ssl; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
111 server_name localhost; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
112 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
113 ssl_session_cache none; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
114 ssl_session_tickets off; |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
115 |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
116 location / { |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
117 return 200 "body $ssl_session_reused"; |
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
118 } |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 } |
1655
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
120 |
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
121 server { |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
122 listen 127.0.0.1:8449 ssl; |
1655
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
123 server_name localhost; |
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
124 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
125 ssl_session_cache off; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
126 ssl_session_tickets off; |
1655
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
127 |
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
128 location / { |
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
129 return 200 "body $ssl_session_reused"; |
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
130 } |
666d54ab5036
Tests: ssl_session_timeout fixes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1608
diff
changeset
|
131 } |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 } |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
133 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
134 EOF |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 $t->write_file('openssl.conf', <<EOF); |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 [ req ] |
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1478
diff
changeset
|
138 default_bits = 2048 |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 encrypt_key = no |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 distinguished_name = req_distinguished_name |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
141 [ req_distinguished_name ] |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
142 EOF |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
143 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
144 my $d = $t->testdir(); |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
145 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
146 foreach my $name ('localhost') { |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
147 system('openssl req -x509 -new ' |
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1139
diff
changeset
|
148 . "-config $d/openssl.conf -subj /CN=$name/ " |
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1139
diff
changeset
|
149 . "-out $d/$name.crt -keyout $d/$name.key " |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
150 . ">>$d/openssl.out 2>&1") == 0 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
151 or die "Can't create certificate for $name: $!\n"; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
152 } |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
153 |
1139
e7e968e3eb74
Tests: split ssl.t to run relevant tests on stable versions again.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1132
diff
changeset
|
154 $t->run(); |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
155 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
156 ############################################################################### |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
157 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
158 # session reuse: |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
159 # |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
160 # - only tickets, the default |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
161 # - tickets and shared cache, should work always |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
162 # - only shared cache |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
163 # - only builtin cache |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
164 # - only builtin cache with explicitly configured size |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
165 # - only cache none |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
166 # - only cache off |
1514
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
167 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
168 TODO: { |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
169 local $TODO = 'no TLSv1.3 sessions, old Net::SSLeay' |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
170 if $Net::SSLeay::VERSION < 1.88 && test_tls13(); |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
171 local $TODO = 'no TLSv1.3 sessions, old IO::Socket::SSL' |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
172 if $IO::Socket::SSL::VERSION < 2.061 && test_tls13(); |
1830
8dec885fa3da
Tests: LibreSSL and BoringSSL session reuse with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1829
diff
changeset
|
173 local $TODO = 'no TLSv1.3 sessions in LibreSSL' |
8dec885fa3da
Tests: LibreSSL and BoringSSL session reuse with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1829
diff
changeset
|
174 if $t->has_module('LibreSSL') && test_tls13(); |
1514
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
175 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
176 is(test_reuse(8443), 1, 'tickets reused'); |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
177 is(test_reuse(8444), 1, 'tickets and cache reused'); |
1830
8dec885fa3da
Tests: LibreSSL and BoringSSL session reuse with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1829
diff
changeset
|
178 |
8dec885fa3da
Tests: LibreSSL and BoringSSL session reuse with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1829
diff
changeset
|
179 TODO: { |
8dec885fa3da
Tests: LibreSSL and BoringSSL session reuse with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1829
diff
changeset
|
180 local $TODO = 'no TLSv1.3 session cache in BoringSSL' |
8dec885fa3da
Tests: LibreSSL and BoringSSL session reuse with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1829
diff
changeset
|
181 if $t->has_module('BoringSSL') && test_tls13(); |
8dec885fa3da
Tests: LibreSSL and BoringSSL session reuse with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1829
diff
changeset
|
182 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
183 is(test_reuse(8445), 1, 'cache shared reused'); |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
184 is(test_reuse(8446), 1, 'cache builtin reused'); |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
185 is(test_reuse(8447), 1, 'cache builtin size reused'); |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
186 |
1478
f9718a0773b9
Tests: skip TLS 1.3 session reuse tests with older Perl modules.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1449
diff
changeset
|
187 } |
1830
8dec885fa3da
Tests: LibreSSL and BoringSSL session reuse with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1829
diff
changeset
|
188 } |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
189 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
190 is(test_reuse(8448), 0, 'cache none not reused'); |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
191 is(test_reuse(8449), 0, 'cache off not reused'); |
1608
2f00ed2e0d1a
Tests: added test for SSL shutdown on lingering close.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1552
diff
changeset
|
192 |
1675
0d1cec688111
Tests: logging ssl variables with lingering close.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1655
diff
changeset
|
193 $t->stop(); |
0d1cec688111
Tests: logging ssl variables with lingering close.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1655
diff
changeset
|
194 |
1723
3581dc3c1937
Tests: added ssl test for "unexpected eof while reading".
Sergey Kandaurov <pluknet@nginx.com>
parents:
1695
diff
changeset
|
195 like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit'); |
3581dc3c1937
Tests: added ssl test for "unexpected eof while reading".
Sergey Kandaurov <pluknet@nginx.com>
parents:
1695
diff
changeset
|
196 |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
197 ############################################################################### |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
198 |
1829
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
199 sub test_tls13 { |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
200 return get('/protocol', 8443) =~ /TLSv1.3/; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
201 } |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
202 |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
203 sub test_reuse { |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
204 my ($port) = @_; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
205 my $ctx = get_ssl_context(); |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
206 get('/', $port, $ctx); |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
207 return (get('/', $port, $ctx) =~ qr/^body r$/m) ? 1 : 0; |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
208 } |
a78c32419f02
Tests: separate SSL session reuse tests.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1820
diff
changeset
|
209 |
1067
4606a2ec3d7c
Tests: ssl.t cleanup, no functional changes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
210 sub get { |
1514
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
211 my ($uri, $port, $ctx) = @_; |
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
212 my $s = get_ssl_socket($port, $ctx) or return; |
1132
3d312b6a1a19
Tests: avoid $ssl_session_reused tests failure with OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
213 my $r = http_get($uri, socket => $s); |
3d312b6a1a19
Tests: avoid $ssl_session_reused tests failure with OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
214 $s->close(); |
3d312b6a1a19
Tests: avoid $ssl_session_reused tests failure with OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1116
diff
changeset
|
215 return $r; |
1067
4606a2ec3d7c
Tests: ssl.t cleanup, no functional changes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
216 } |
4606a2ec3d7c
Tests: ssl.t cleanup, no functional changes.
Sergey Kandaurov <pluknet@nginx.com>
parents:
974
diff
changeset
|
217 |
1514
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
218 sub get_ssl_context { |
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
219 return IO::Socket::SSL::SSL_Context->new( |
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
220 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
221 SSL_session_cache_size => 100 |
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
222 ); |
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
223 } |
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
224 |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
225 sub get_ssl_socket { |
1514
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
226 my ($port, $ctx, %extra) = @_; |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
227 my $s; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
228 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
229 eval { |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
230 local $SIG{ALRM} = sub { die "timeout\n" }; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
231 local $SIG{PIPE} = sub { die "sigpipe\n" }; |
1421
4e48bf51714f
Tests: aligned various generic read timeouts to http_end().
Sergey Kandaurov <pluknet@nginx.com>
parents:
1407
diff
changeset
|
232 alarm(8); |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
233 $s = IO::Socket::SSL->new( |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
234 Proto => 'tcp', |
664
97660514e518
Tests: more http ssl tests.
Andrey Zelenkov <zelenkov@nginx.com>
parents:
503
diff
changeset
|
235 PeerAddr => '127.0.0.1', |
1514
c6f27bcdd9d9
Tests: revised ssl.t.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
236 PeerPort => port($port), |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
237 SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
238 SSL_reuse_ctx => $ctx, |
1068
d0ec761774a5
Tests: client certificate issuer/subject variables.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1067
diff
changeset
|
239 SSL_error_trap => sub { die $_[1] }, |
d0ec761774a5
Tests: client certificate issuer/subject variables.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1067
diff
changeset
|
240 %extra |
370
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
241 ); |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
242 alarm(0); |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
243 }; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
244 alarm(0); |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
245 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
246 if ($@) { |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
247 log_in("died: $@"); |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
248 return undef; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
249 } |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
250 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
251 return $s; |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
252 } |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
253 |
74cfe56c7b83
Tests: simple https tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
254 ############################################################################### |